Which versions of OpenClaw are affected by CVE-2026-43531?

OpenClaw npm package versions before 2026.4.9 contain an environment variable injection vulnerability that allows local attackers with low privileges to redirect package updates, intercept gateway…. A patch is available.

How to fix or mitigate CVE-2026-43531?

Within 24 hours: Inventory all projects and systems using OpenClaw npm package and verify installed versions. Within 7 days: Upgrade OpenClaw to version 2026.4.9 or later (2026.4.14 recommended) across all affected environments; validate upgrades in development/staging first. Within 30 days: Audit shared workspace configurations, implement file permissions restrictions on .env files in version control systems, and conduct supply-chain risk review for any packages pulled during the vulnerable window.

OpenClaw CVE-2026-43531

Q: What is the CVSS score of CVE-2026-43531?

CVE-2026-43531 has a CVSS 4.0 base score of 7.0 (High). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-27273 HIGH

External Control of System or Configuration Setting (CWE-15)

2026-05-05 VulnCheck

Code Injection

7.0

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Analysis Updated

May 05, 2026 - 12:49 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 05, 2026 - 12:37 vuln.today

cvss_changed

CVSS changed

May 05, 2026 - 12:37 NVD

7.3 (HIGH) 7.0 (HIGH)

Source Code Evidence Fetched

May 05, 2026 - 12:19 vuln.today

Analysis Generated

May 05, 2026 - 12:19 vuln.today

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 npm packages depend on openclaw (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.4.9.

DescriptionNVD

OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior.

AnalysisAI

Environment variable injection in OpenClaw npm package versions before 2026.4.9 allows local attackers with low privileges to compromise application behavior through malicious workspace .env files. Attackers can redirect update sources to serve backdoored packages, modify gateway URLs and ClawHub resolution endpoints to intercept traffic, and override browser executable paths to launch attacker-controlled binaries. …

RemediationAI

Within 24 hours: Inventory all projects and systems using OpenClaw npm package and verify installed versions. Within 7 days: Upgrade OpenClaw to version 2026.4.9 or later (2026.4.14 recommended) across all affected environments; validate upgrades in development/staging first. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-43531 vulnerability details – vuln.today

Back

OpenClaw CVE-2026-43531

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

OpenClaw CVE-2026-43531

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code